Trojans in uTorrent Mods and BitTorrent (Armadillo) Mods packed?
BitTorrent 6.x SBI Mods (Armadillo 5.x) - http://www.sb-innovation.de
Some mods show outgoing connection / request activity from the program exe's even when the BitTorrent 6 mod is closed. Check the firewall log with the rule for the bittorrent_mods exe's enabled and then disabled.
Remarks:
Kaspersky and BitDefender include an unpacking engine for PECompact and Armadillo 4 - 5; manual unpacking shows the same result for multi_100_seeder and for one kind of BitTorrent 6 mod.
uTorrent seeder x100 mods (PECompact ver. 2.78a ~2.80 with added DLL injection)
see screenshot:
NEW AV Signature Updates 05.02.2005
BitDefender Internet Security 2008 v11.0.15
Virus Database Date: 06.02.2008
Known Viruses: 979216
The new AV signatures are improved: the trojan is now detected already inside the Inno Setup installer: µtorrent 1.7.7 LP_setup.exe and others.
AV signature, engine and module updates (hourly):
BitDefender Internet Security 2008 v11.0.15 German
Virus Database Date: 06.02.2008
Known Viruses: 979232
The 3rd AV definition update today no longer shows the above screen, but after innounp / Inno unpacking or running the setup, one mod, utorrent 1.7.x multi100_seeder.exe, is found positive for Trojan AX patched in the temp folder and, if that is skipped, also in the unpacked folder.
BitDefender Internet Security 2008 v11.0.15
Virus Database Date: 06.02.2008
Known Viruses: 979348
New backdoor (some packers are not detected):
Creates the following files in the Windir\Media folder (same as some very old backdoors, but with different signatures):
C:\WINDOWS\Media\csrss.exe
C:\WINDOWS\Media\MSWINSCK.OCX
Changes the value "Shell"="explorer.exe" to
"Shell"="explorer.exe C:\WINDOWS\Media\csrss.exe"
in the registry key:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
and possibly, like the old backdoor, adds:
"RegWrite"="c:\windows\media\csrss.exe"
to the registry key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
After execution, a "fake" csrss.exe runs from the Windir\Media folder (visible in the process manager) as soon as Windows starts, alongside the original \system32 Microsoft Corporation Client Server Runtime Process (csrss.exe), and connects to a web server.
After removing these files, under windir\Media appears:
No AV, anti-spyware, anti-malware program or startup manager tool has ever monitored the logon shell value
(Winlogon Shell = Explorer.exe) for changes,
for example extensions such as:
"Shell"="explorer.exe C:\WINDOWS\Media\csrss.exe"
"Shell"="explorer.exe C:\any application to run with startup test.dll"
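The post's point is that the Winlogon Shell value, the Run key and the csrss.exe process name are places a startup tool does not watch. The following PowerShell script is an added example (not from the original post or from any of the mods discussed) that audits exactly those four indicators on a Windows host: the Shell value in the machine and per-user Winlogon keys, Run entries pointing into Windows\Media, csrss.exe processes running outside System32, and the two file names the post lists. The registry paths and file names come from the post; the decision rule that the Shell value must be exactly "explorer.exe" is an assumption that holds on a default installation.

```powershell
# Added example (not from the original post): audit the persistence points
# described above. Run in an elevated PowerShell on the host being checked.
# Assumption: a clean host has the Winlogon Shell value set to exactly "explorer.exe".

$findings = @()

# 1. Winlogon Shell value (machine-wide and per-user; HKCU overrides HKLM for that user).
$winlogonKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
)
foreach ($key in $winlogonKeys) {
    $shell = (Get-ItemProperty -Path $key -Name Shell -ErrorAction SilentlyContinue).Shell
    if ($null -eq $shell) { continue }                       # value absent: default explorer.exe applies
    if ($shell.Trim() -ne 'explorer.exe') {                  # -ne is case-insensitive in PowerShell
        $findings += "Winlogon Shell modified in ${key}: '$shell'"
    }
}

# 2. Run keys: flag any entry whose command points into Windows\Media.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }                # skip PowerShell's own PSPath/PSParentPath etc.
        if ("$($p.Value)" -match '\\Windows\\Media\\') {
            $findings += "Run entry '$($p.Name)' in ${key} points into Windows\Media: $($p.Value)"
        }
    }
}

# 3. Processes named csrss.exe: the genuine one lives in System32.
#    Path is $null for a process the caller cannot open (the real csrss is protected),
#    so only processes whose path is readable and outside System32 are reported.
$system32 = Join-Path $env:SystemRoot 'System32'
Get-Process -Name csrss -ErrorAction SilentlyContinue | ForEach-Object {
    $path = $_.Path
    if ($path -and -not $path.StartsWith($system32, [System.StringComparison]::OrdinalIgnoreCase)) {
        $findings += "csrss.exe running from unexpected path: $path (PID $($_.Id))"
    }
}

# 4. The dropped files named in the post.
foreach ($name in @('csrss.exe', 'MSWINSCK.OCX')) {
    $full = Join-Path $env:SystemRoot "Media\$name"
    if (Test-Path -Path $full) { $findings += "Unexpected file present: $full" }
}

if ($findings.Count -eq 0) { 'No indicators found.' } else { $findings }
```

Reading the Run keys through `PSObject.Properties` rather than a fixed value name is deliberate: the post only guesses at the value name ("RegWrite"), so the check keys on where the command points instead of on what the value is called.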
21 comments:
Looks like it's in all seeder multi 100 mods' 'code parts'. Trojan connects to someone if seeding torrents. Dangerous Brothers
There are no viruses in the files; it's only the way it's packed that shows up as a virus, because the AV apps don't recognize it right.
Are you sure? Because I unpacked / removed the protection, fixed the IAT etc. and did just a dump, but all solutions show the same in clean unpacked status as well. Is it possible that leecher multi 100 has had an embedded positive string in the code changes since the very first source?
KAV has an unpacking engine for the latest Armadillo and PECompact; BitDefender's engine got an update this day for the PECompact 2.8x / Inno 5.x module with added DLLs to the packers. Detection error?
Is multi_100_seeder packed differently from all the others? I get a virus alert only from multi100_seeder mods.
Can anyone prove that they are clean? Show me.
The BitTorrent mod phones out on its own.
Check Wireshark logs. http://www.wireshark.org/
I don't think seba put trojans in the exe files, unless someone gave him a 'bad' source.
Why has it been packed so badly that virus scanners detect a trojan??? Why does it need to be packed?
-------------------------------------
"there are no virus in the files its only the mode as its packed that results as a virus because the av apps doesnt recognize it right"
There are no viruses or trojans in these mods. Seba and the SBI people only change the original with hex editors and don't compile it anew with a virus in it.
Your screenshot is about seba's uTorrent mod; why do you post the SBI link together with it? Seba's site and the SBI forum are different places...
The problem with BitTorrent is a general problem and has nothing to do with the SBI mod. They've created it for people who want to use this client. But if there's a spy function in it you must find it in the original too, and then we should warn all people about this security risk.
If the top 10 AV scanners go off, you know what's wrong. About the 5 others in VirusTotal which almost always show positive, we all know they can be wrong. Scan the original, scan the mods: there are quite different results. 5 BitTorrent mods, and always the x100 seeder mod is infected. I hope this site's admin posts from the email the unpacked one I did, to see the exe protected and unpacked.
They should rather use a "more" compatible exe compressor.
I can't get hold of the original mod source, but I can rebuild it for you so that you can check it, because I know all the tools they've used. The source file is from your site...
http://uploaded.to/?id=nwqgpw
Here is the bittorrent_nocomplete_report-seeder _100x mod packed with the same tools as the one in the pack.
http://www.mediafire.com/?fexehrzu9gh
Can you please check it to see if you get the same results? If you get the same warnings I can upload the unpacked file for you, but I can't post the link here.
NoCompl_Report-Seeder_Multi-100x has a decent nice backdoor inside. Maybe the packer patches it in; exe packer crack v possible. Connects to a server in xx. Try running a torrent without dl/up (idle) and see the Wireshark logs.
Put it later in OllyICE to see if it's w/o Arm too. Compared to the original, no connection to that server. Exclude the IP-to-country database server lookup and the rest of BT/uT.
AV doesn't give any interrupt, but overall the result is horrible:
http://www.virustotal.com/analisis/663ec4d97ab4bcd95d8e6c04d57a2363
Maybe used the Armadillo packer from team ... ? ? ?
A pirated Armadillo packer putting a backdoor into the exe and dll while packing, by client online, is possible.
Version
http://info.prevx.com/aboutprogramtext.asp?PX5=DCF6FA2430E7C54E05ED0D20E0A57C00C9FAE183
http://www.virustotal.com/analisis/65c5758909afd65e0c9366d1f2226d47
Cause:
Microsoft Visual C++ ver 5.0/6.0, not packed!
PEiD: Armadillo v1.71 / wrong -(
Thanks for testing the file.
Then the packer must be the problem. I've used this version for packing and to include the splash screen.
SoftwarePassport/Armadillo Protection System v5.0
On their homepage you can download a trial version of their newest release v5.4.
http://www.siliconrealms.com/
Protect my computer and eliminate the bugs and viruses.
When you are searching for a great scan that can help you keep your computer running like new, I would suggest that you visit NOT The FAKE PAGE! Luckily it is known and routed to zero http://127.0.0.1 Here I found the antispyware solution from Search-and-destroy and it was exactly what I needed to protect my computer and eliminate the bugs and viruses that would make it run slow, freeze up and shut down. Search-and-destroy Antispyware was the answer to my computer bug problems and it was certainly worth every penny I spent to have this great antispyware to protect my PC. Not only does it work great but it costs less than many of the other scans available.
The real website is:
http://www.safer-networking.org
and it's freeware!
Be cautious, this is a fake site: http://whois.domaintools.com/search-and-destroy.com
Remove AAV Trojan Patch or Ai Trojan Patch
http://www.tips29.com/2009/01/remove-aav-trojan-patch-or-ai-trojan.htmll